Research by popular blockchain -trackz -Zachxbt has discovered extensive North Korean infiltration on the global job market for cryptocurrency development.
An unnamed source recently joined a device of a DVK IT employee and gave an unprecedented insight into how a small team of five IT employees operated more than 30 fake identities.
DVK agents overflow crypto job market
According to the tweets from Zachxbt used IDs issued by the government to register accounts about Upwork and LinkedIn to obtain developers on multiple projects. Researchers found an export of the Google Drive of the employees, Chrome Profiles and Screenshots, which showed that Google products were central to organizing schemes, tasks and budgets, with communication that was mainly carried out in English.
Among the documents is a spreadsheet from 2025 with weekly reports from team members, which shed light on their internal activities and mindset. Typical entries contain statements such as “I can’t understand the task requirement and don’t know what to do”, with self -driven nuts such as “Solution / Fix: putting enough efforts in the heart.”
Another spreadsheet follows costs, shows purchases of sofien numbers, Upwork and LinkedIn compwards, telephone numbers, AI subscriptions, computer rental and VPN or Proxy services. Meeting schedules and scripts for fake identities, including one under the name “Henry Zhang”, were also restored.
Allegedly, the operational methods of the team were involved in buying or renting computers, the use of Anydesk to perform work remotely and to turn Fiat into Cryptocurrency via Payoneer. One wallet address, 0x78e1, associated with the group, is connected in the chain with an exploit of $ 680,000 at Favrr in June 2025, where the CTO of the project and other developers were later identified as DPRK IT employees who use fraudulent documents. Extra DPRK linked employees were connected to projects via the 0x78E1 address.
Indicators of their North Korean origin include frequent use of Google Translate for Korean language search assignments carried out from Russian IP addresses. Zachxbt said that these IT employees are not particularly refined, but their perseverance is reinforced by the large number of roles on which they focus all over the world.
Challenges in combating these activities include poor cooperation between private companies and services, as well as resistance of teams when fraudulent activity is reported.
North -Korea’s persistent threat
North Korean hackers, in particular the Lazarus group, continue to pose an important threat to industry. In February 2025, the group orchestrated the largest crypto exchange shack in history, because it was around $ 1.5 billion in Ethereum from Bybit in Dubai Stal.
The attack used vulnerabilities in a third-party wallet, safe {wallet}, with which the hackers multi-signature security measures and siphon funds in multiple portfolios could bypass. The FBI attributed the infringement to North Korean agents and labeled the “Tradertratraitor”.
Subsequently, in July 2025, Coindcx, an Indian cryptocurrency fair, was the victim of a $ 44 million robbery, which was also linked to the Lazarus group. The attackers infiltrated the liquidity infrastructure of Coindcx and used internal references to perform the theft.
Binance free $ 600 (excluding cryptopotato): Use this link to register a new account and receive $ 600 excluding welcome offer on Binance (Full details).
Limited offer for Cryptopotato readers at Bybit: Use this link to register and open a free function of $ 500 on each coin!
#Google #Documents #Upwork #LinkedIn #Noord #Korean #Workers #Secret #Crypto #Operations